WU Ji-yi,PING Ling-di,FAN Rong,Zhijie Lin

2008-01-01

Abstract:With the increasing demand of computer networks security,the distributed intrusion detection technology becomes an important research area.However,the traditional distributed intrusion detection systems have some shortcomings in certain aspects,such as distributivity,flexibility,interoperability,detecting efficiency,and insider threat avoidance etc.To deal with the insider threat more effectively,P2P overlay IDS based on an adaptive trust alert correlation was proposed.Under JXTA P2P framework,a P2P overlay IDS prototype system was implemented,and its effectiveness to prevent the spread of a real Internet worm was evaluated over an emulated network.The experiment results show the P2P overlay IDS significantly increases the overall survival rate of vulnerable peers in network.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

JunPeng Mao,Yanli Cui,JianHua Huang,JianBiao Zhang

DOI: https://doi.org/10.1109/iita.2008.405

2008-01-01

Abstract:With peer-to-peer (P2P) technology widely applied, P2P network have become an attacked target of viruses and other malicious code. Among them, pollution attacking of resource is one of most serious threat to P2P file share system. In order to improve the security and transmitting efficiency of P2P network, construct pollution disseminating model of P2P network and analyze the disseminating behavior of polluted resource and legal resource. Main conclusion including, 1) the fluctuation of resource's popularity effects greatly on disseminating behavior of polluted resource, however, a high popularity of polluted resource do not always means to a fast disseminating ratio; 2) The longer resource's disseminating time, the less effect of resource's popularity to the disseminating behavior of polluted and legal resource. 3) The relation between disseminating ratio of polluted resource and share-degree or cognition-degree is inverse ratio, however, disseminating ratio of legal resource approximately exponentially increase with above two factors.

Li Xiao,Yunhao Liu

2004-01-01

Abstract:Current and future Internet and distributed systems rely on both centralized client-server model and decentralized peer-to-peer (P2P) model. P2P model is an emerging technology aiming to effectively utilize and manage increasingly large and globally distributed information and computing resources, complementing the available client-server services. In order to truly adopt the P2P model for deploying large-scale Internet applications, and timely merge this model as an indispensable component in the main stream of distributed computing technology, we must address several major technical challenges including the efficiency of overlay networks, cost-effective P2P information search, and privacy and security protection of peers. This dissertation focuses on addressing two critical issues. The first issue is topology mismatch problem between P2P overlay networks and the underlying physical networks in unstructured P2P systems. Addressing topology mismatch problem can fundamentally improve overall search performance of P2P systems. We demonstrate the seriousness of the topology mismatch problem, and define an optimal overlay problem that is proved to be a NP-hard problem. We then develop several effective schemes and algorithms to alleviate the topology mismatch problem. Our proposed algorithms are completely distributed, scalable and effective. Simulation studies show that the total traffic and response time of the queries can be significantly reduced by these schemes without shrinking the search scope. The second issue is overlay distributed denial-of-service (DDoS) attack in P2P systems. Most previous security techniques protect networks from network-layer DDoS attacks, but cannot be applied to overlay DDoS attacks. We propose a distributed and scalable method, DD-POLICE, to detect malicious nodes in order to defend P2P systems from overlay flooding-based DDoS attacks. We show the effectiveness of DD-POLICE by simulation studies and implementation on Gnutella 0.6 protocols. We believe that widely employing these proposed approaches will make P2P systems more scalable and robust.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1109/ICCIS.2008.4670732

2008-01-01

Abstract:Distributed defense of DDoS (Distributed Denial of Service) attack has been extensively researched in recent years and control-based defense is a hopeful way. However, existed methods only deal with bandwidth protection. The paper takes defense of DDoS flood as a kind of Processing and Bandwidth Resources allocation and solves it using control theory. Our defense mechanism FFDRF (Feedback Filtering with Dual-Resource Fairness) sets up filters in edge routers of AS and adjusts the filtering thresholds through feedback between these routers and the victim. The simulation results show that FFDRF can make the legitimate traffic keep high survival rate while is stable and converges quickly even in case of heterogeneous flow sources and link conditions. Compared with level-k max-min fairness defense, FFDRF is more effective against CPU-consuming flood. And an implementation of FFDRF in a linux router indicates that FFDRF is feasible in real-life routers. © 2008 IEEE.

Yingjie Xia,Guanghua Song,Yao Zheng,Jun Ni,Mingzhe Zhu

DOI: https://doi.org/10.1109/ICICSE.2008.7

2008-01-01

Abstract:This paper introduces a small world overlay Peer- to-peer (P2P) transfer system with role based and reputation based access control policies, through which we are able to solve several serious problems existed in traditional P2P systems, like resource piracy, user privacy and network jam. The role based access control policy is implemented by the certificate based cryptography, e.g. X509. The reputation based access control policy consists of artificial scoring and automatic scoring components, corresponding to the quality and quantity evaluation of the transfer resources respectively. This system, upon the two policies and the adaptive small world overlay P2P topology, can restrict the peer's role and select a more credible peer to upload and download without any loss of performance, for the reason of the dramatic topology. Indeed it provides a secure, controllable and efficient resource transfer community.

Bingshuang Liu,Skyler Berg,Jun Li,Tao Wei,Chao Zhang,Xinhui Han

DOI: https://doi.org/10.1109/ICCCN.2014.6911808

2014-01-01

Abstract:Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic, and have become a significant threat to Internet security. In this paper we show that an attacker can further make the DRDoS attack more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS. By leveraging peer-to-peer (P2P) file-sharing networks, SF-DRDoS becomes more surreptitious and powerful than traditional DRDoS. An attacker can store carefully prepared data on reflector nodes before the flooding phase to greatly increase the amplification factor of an attack. We implemented a prototype of SF-DRDoS on Kad, a popular Kademlia-based P2P file-sharing network. With real-world experiments, this attack achieved an amplification factor of 2400 on average, with the upper bound of attack bandwidth at 670 Gbps in Kad. Finally, we discuss possible defenses to mitigate the threat of SF-DRDoS.

Lei Hou,Haixin Duan,Jianping Wu

DOI: https://doi.org/10.1109/CIT.2010.184

2010-01-01

Abstract:In Peer-to-Peer (P2P) networks a malicious peer can control the direction of the traffic after it controls lots of bots. This paper focus on defending Distributed Denial of Service (DDoS) attack in P2P networks by selecting the most active peer with its credit values which is recorded in a period of Credit Construction time. The Credit values can be updated in the lest period. We propose Scheduler to compute local credit values and maintain the global trust relationships. In order to assess the effectiveness of the above techniques, we extend Sybil attack and DDoS attack in simulator tool named p2psim-0.3 and implement distinguishing master and updating credit algorithms. Although we adopt tapestry protocol and Euclidean topology to implement the algorithms, the same methodology can be applied to other DHT (Distributed Hash Table)_based lookup protocols in P2P networks and topologies as well.

Yinan Jing,Zheng Xiao,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/icniconsmcl.2006.159

2006-01-01

Abstract:Distributed denial-of-service attack has become one of the major threats to Internet today. And the distributed nature of DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a built-in distributed rate limit framework throughout the Internet. And we leverage the IP traceback technique to avoid collateral damage on legitimate traffic and mitigate DDoS effect near attack sources as possible as we can. This defense framework is a serviceoriented economic model that not only motivates ISPs to deploy it, but also benefits all participants.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

2006-01-01

Journal of Information and Computational Science

Abstract:Distributed denial-of-service attack has become one of the major threats to Internet today. The distributed nature of DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a secure cooperative environment for distributed rate limit. This distributed defense framework has a service-oriented economic model that not only motivates ISPs to deploy it, but also benefits all participants. In addition, an IP traceback-based rate limit algorithm is proposed to leverage the IP traceback technique not only to mitigate the DDoS attack effect as close to attack sources as possible, but also to improve the throughput of legitimate traffic even under a meek attack.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

HAN Xinhui,LI Chen,XIAO Xiangquan,LIU Bingshuang,YE Jiayi

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2016.23.008

2016-01-01

Abstract:P2P live video systems are widely used in today's Internet.Compared with eMule/BitTorrent and other traditional P2P file-sharing systems,a P2P live video system has higher requirements on real time data,which becomes vulnerable weakness.Delay attack,with strong concealment,is potentially lethal for large P2P video broadcasting systems.Theoretical security threats of popular P2P live video systems were analyzed to propose three types of delay attack based on Eclipse attack,No-Offer attack,Delay Chunk attack,and No-Chunk attack,with a high-availability defense strategy against delay attack being developed.Experiments were made on PlanetLab based on PeerStreamer,which proves the impact of delay attack and the effectiveness of the developed defense strategy.

Zhuotao Liu,Hao Jin,Yih-Chun Hu,Michael Bailey

DOI: https://doi.org/10.48550/arXiv.1709.05710

2017-09-17

Networking and Internet Architecture

Abstract:Volumetric attacks, which overwhelm the bandwidth of a destination, are among the most common DDoS attacks today. Despite considerable effort made by both research and industry, our recent interviews with over 100 potential DDoS victims in over 10 industry segments indicate that today's DDoS prevention is far from perfect. On one hand, few academical proposals have ever been deployed in the Internet; on the other hand, solutions offered by existing DDoS prevention vendors are not a silver bullet to defend against the entire attack spectrum. Guided by such large-scale study of today's DDoS defense, in this paper, we present MiddlePolice, the first readily deployable and proactive DDoS prevention mechanism. We carefully architect MiddlePolice such that it requires no changes from both the Internet core and the network stack of clients, yielding instant deployability in the current Internet architecture. Further, relying on our novel capability feedback mechanism, MiddlePolice is able to enforce destination-driven traffic control so that it guarantees to deliver victim-desired traffic regardless of the attacker strategies. We implement a prototype of MiddlePolice, and demonstrate its feasibility via extensive evaluations in the Internet, hardware testbed and large-scale simulations.

Zhuotao Liu,Yuan Cao,Min Zhu,Wei Ge

DOI: https://doi.org/10.48550/arXiv.1903.07796

2019-04-06

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industrial interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure witness little real-world deployment. On the other hand, the operation model for existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy invasive for large organizations (e.g., government). In this paper, we present Umbrella, a new DDoS defense mechanism enabling Internet Service Providers (ISPs) to offer readily deployable and privacy-preserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aiming to prevent sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed to receive their fair shares regardless of attackers' strategies; and finally the userspecific layer allows DDoS victims to enforce self-desired traffic control policies that best satisfy their business requirements. Based on Linux implementation, we demonstrate that Umbrella is capable to deal with large scale attacks involving millions of attack flows, meanwhile imposing negligible packet processing overhead. Further, our physical testbed experiments and large scale simulations prove that Umbrella is effective to mitigate various DDoS attacks.

Cryptography and Security

Mo Zhou,Yafei Dai,Xiaoming Li

DOI: https://doi.org/10.1155/2007/27958

2007-01-01

Abstract:The architecture of P2P file-sharing applications has been developing to meet the needs of large scale demands. The structured overlay network, also known as DHT, has been used in these applications to improve the scalability, and robustness of the system, and to make it free from single-point failure. We believe that the measurement study of the overlay network used in the real filesharing P2P systems can provide guidance for the designing of such systems, and improve the performance of the system. In this paper, we perform the measurement in two different aspects. First, a modified client is designed to provide view to the overlay network from a single-user vision. Second, the instances of crawler programs deployed in many nodes managed to crawl the user information of the overlay network as much as possible. We also find a vulnerability in the overlay network, combined with the character of the DNS service, a more serious DDoS attack can be launched.

Bingshuang Liu,Jun Li,Tao Wei,Skyler Berg,Jiayi Ye,Chen Li,Chao Zhang,Jianyu Zhang,Xinhui Han

DOI: https://doi.org/10.1016/j.comcom.2015.06.008

IF: 5.047

2015-01-01

Computer Communications

Abstract:Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic, and have become a significant threat to Internet security. In this paper we show that an attacker can further make the DRDoS attack more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS, which leverages peer-to-peer (P2P) file-sharing networks. An attacker can store carefully prepared data on reflector nodes before the flooding phase, to greatly increase the amplification factor of an attack. In this way, SF-DRDoS is more surreptitious and powerful than traditional DRDoS. We present two prototype SF-DRDoS attacks on two popular Kademlia-based P2P file-sharing networks, Mad and BT-DHT. Experiments in real-world environments showed that, this attack can achieve an amplification factor of 2400 on average in Mad, and reach an upper bound of attack bandwidth at 670 Gbps and 10 Tbps for Kad and BT-DHT, respectively. We also propose some candidate defenses to mitigate the SF-DRDoS threat. (C) 2015 Elsevier B.V. All rights reserved.

David Chunhu Li,Hsuan-Hao Tu,Li-Der Chou

DOI: https://doi.org/10.1016/j.compeleceng.2024.109307

IF: 4.152

2024-05-30

Computers & Electrical Engineering

Abstract:This paper presents a comprehensive system for detecting and defending against distributed denial-of-service (DDoS) and distributed reflective denial-of-service (DRDoS) flood attacks in software-defined networking (SDN) environments using Programming Protocol-Independent Packet Processors (P4). The proposed system introduces a hybrid intrusion statistical threshold algorithm (HISTA) that analyzes intrusion data statistics to identify potential malicious attacks. Upon detection, the system utilises P4 programmability to implement a custom defence mechanism on the P4 switch. A novel Uruk protocol header collaborates with HISTA for enhanced cross-layer attack detection and categorisation. The HISTA-Uruk mechanism selectively discards malicious packets while ensuring uninterrupted communication for legitimate packets, effectively preventing DDoS/DRDoS attacks. Extensive experiments validate the system's ability to efficiently detect and thwart various DDoS, DRDoS, and internal attacks, demonstrating its effectiveness in identifying threats and restoring impacted network connections across diverse attack scenarios.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Mingxing Liu,Ying Liu,Ke Xu,Lin He,Xiaoliang Wang,Yangfei Guo,Weiyu Jiang

DOI: https://doi.org/10.1109/msn53354.2021.00076

2021-01-01

Abstract:In recent years, Distributed Denial-of-Service (DDoS) attacks have become more rampant and continue to be one of the most serious security threats facing network infrastructure. In a classic DDoS attack, the attacker controls numerous bots from many sources to send a significant volume of traffic to flood the victim end or the bottleneck link. In practical networks, it is inefficient and costly to request all partner routers to collaboratively mitigate DDoS attacks. The common feature of DDoS attacks is the abnormal distribution of traffic to the victim. In this paper, we propose TAP, a collaborative DDoS mitigation framework, based on traffic-aware probabilistic packet marking (PPM). TAP enables the victim to select a few hit routers as collaborators to mitigate attack traffic efficiently depending on the traffic distribution. Our evaluation results show that TAP greatly reduces attack traffic within seconds and mitigate the damage caused by DDoS with less overhead, which demonstrates that TAP is an effective, efficient, and rapid-response scheme for collaborative DDoS mitigation.

Mo Zhou,Yafei Dai,Xiaoming Li

DOI: https://doi.org/10.1109/ISM.2006.5

2006-01-01

Abstract:The architecture of P2P file-sharing applications has been developing to meet the needs of large scale demands. The structured overlay network, also known as DHT, has been used in these applications to improve the scalability, robustness of the system, and to make it free from single-point failure. We believe that the measurement study of the overlay network used in the real file-sharing P2P systems can provide guidance for the designing of such systems, and improve the performance of the system. In this paper, we perform the measurement in two different aspects. First, the modified client provides view to the overlay network from a single user vision. Second, the instances of crawler programs deployed in many nodes managed to crawl the user information of the overlay network as much as possible. We find vulnerability in the overlay network, combined with the character of the DNS service; a more serious DDos attack can be launched

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.